ecs-task-definition-user-for-host-mode-check - Amazon Config
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).


Checks for unauthorized permissions in your latest active Amazon Elastic Container Service (Amazon ECS) task definitions that have NetworkMode set to host. The rule is NON_COMPLIANT for task definitions with NetworkMode set to host, and container definitions of privileged set to false or empty, and user set to root or empty.


We recommend that you remove elevated privileges from Amazon ECS task definitions. When privileged is true, the container is given elevated permissions on the host container instance (similar to the root user). When running tasks that use the host network mode, do not run containers as the root user (UID 0). As a security best practice, always use a non-root user.
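To make the rule's logic concrete, the following is an added illustration (not Amazon Config's own evaluator) that applies the NON_COMPLIANT condition above to task-definition JSON and shows the non-root `user` remediation; the task definitions are constructed samples, and treating UID `0` as root (in addition to the literal `root` and an empty value) goes slightly beyond the page's wording.

```python
import copy

# Added illustration of the rule logic described on this page; it is not
# Amazon Config's own evaluator. Field names follow the ECS task-definition
# JSON ("networkMode", "containerDefinitions", "privileged", "user").


def is_root_user(user):
    """True when the container would run as root: user unset/empty, or the
    user part (before any ':group') is 'root' or UID 0. Treating '0' as root
    is an assumption that goes slightly beyond the page's 'root or empty'."""
    name = (user or "").strip().split(":", 1)[0]
    return name in ("", "root", "0")


def container_is_flagged(container):
    """NON_COMPLIANT condition: privileged false/empty AND user root/empty.
    (privileged=true is not flagged by this rule; it is covered elsewhere.)"""
    return not container.get("privileged") and is_root_user(container.get("user"))


def evaluate_task_definition(task_def, skip_inactive=False):
    """Return COMPLIANT / NON_COMPLIANT / NOT_APPLICABLE for one task definition."""
    if skip_inactive and task_def.get("status") == "INACTIVE":
        return "NOT_APPLICABLE"  # SkipInactiveTaskDefinitions = true
    if task_def.get("networkMode") != "host":
        return "NOT_APPLICABLE"  # the rule only looks at host network mode
    if any(container_is_flagged(c) for c in task_def.get("containerDefinitions", [])):
        return "NON_COMPLIANT"
    return "COMPLIANT"


# Constructed sample: host networking, neither "user" nor "privileged" set,
# so the container would run as root on the host network namespace.
BAD_TASK_DEF = {
    "family": "web-host",
    "status": "ACTIVE",
    "networkMode": "host",
    "containerDefinitions": [{"name": "web", "image": "example/web:1.0"}],
}

# The same task definition remediated with a non-root uid:gid.
FIXED_TASK_DEF = copy.deepcopy(BAD_TASK_DEF)
FIXED_TASK_DEF["family"] = "web-host-fixed"
FIXED_TASK_DEF["containerDefinitions"][0]["user"] = "1000:1000"

if __name__ == "__main__":
    for td in (BAD_TASK_DEF, FIXED_TASK_DEF):
        print(td["family"], evaluate_task_definition(td))
```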


Resource Types: AWS::ECS::TaskDefinition

Trigger type: Configuration changes

Amazon Web Services Region: All supported Amazon Web Services Regions except Middle East (UAE), Asia Pacific (Osaka), Asia Pacific (Melbourne), Israel (Tel Aviv), and Canada West (Calgary)


SkipInactiveTaskDefinitions (Optional)
Type: boolean

Boolean flag that controls whether INACTIVE Amazon EC2 task definitions are checked. If set to 'true', the rule does not evaluate INACTIVE Amazon EC2 task definitions. If set to 'false', the rule evaluates the latest revision of INACTIVE Amazon EC2 task definitions.

Amazon CloudFormation template

To create Amazon Config managed rules with Amazon CloudFormation templates, see Creating Amazon Config Managed Rules With Amazon CloudFormation Templates.